This message was deleted.

hmm using any image with the

latest

tag is not a good idea, so I'd listen to the service and rather tag the image with commit SHA (or version or anything) on rebuild. And simple dev purposes you can always push 2 tags. 1 with SHA and 2nd latest

Ye, that's exactly what our work around is, but I'd still like to know if this is possible. I can definitely see use cases where you don't want to have to reconfigure a lambda every time an image updates.

I think this is by design so Pulumi has nothing to do with it. https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-code.html#description The best you can do is to work around it with yet another lambda triggered by ECR and it will update the target lambdas image. The problem with

latest

and

lambda

is concurrency. Imagine your lambda is executed 100k times in parallel with a small-time drift. And somewhere in between 50k - 70k you update the image. You'd end up with half of your code executed using a new version and half the old version. (pure nightmare) Alternative would be that lambda has to pull the image every time, but that's not possible because of Cold/Hot state lambda has. So any use cases considering not updating the lambda should be seriously reconsidered or use a different service.